The botnet drives clicks through 202 sites for advertiser cash.

Security researchers have discovered a botnet that is stealing millions of dollars per month from advertisers. The botnet does so by simulating click-throughs on display ads hosted on at least 202 websites. Revealed and dubbed "Chameleon" by the Web analytics firm spider.io because of its ability to fool advertisers' behavior-tracking algorithms, the botnet is the first found to use display advertisements to generate fraudulent income for its masters.

In a blog post today, spider.io reported that the company had been tracking Chameleon since December of 2012. Simulating multiple concurrent browser sessions with websites, each bot is able to interact with Flash- and JavaScript-based ads. So far, more than 120,000 Windows PCs have been identified—95 percent of them with IP addresses associated with US residential Internet services. The company has issued a blacklist of the 5,000 worst-offending IP addresses that advertisers can use to protect themselves from the fraud.

While in many respects the botnet simulates human activity on webpages to fool click-fraud countermeasures, the mouse clicks and mouse pointer traces it generates across pages are random. This makes it relatively easy to identify bot-infected systems over time. The bot is also unstable because of the heavy load it puts on the infected machine, and its frequent crashes can likewise serve as a signature for identifying infected systems.
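The two detection signals the article describes (random pointer traces and frequent crashes, accumulated per IP over time) can be turned into a simple classifier. The script below is an added example, not spider.io's code and not taken from the article: it scores a session's pointer trace by how erratically its heading changes, since a human-driven mouse follows mostly smooth paths while randomly generated traces jump around the page. The session record layout, the thresholds, the documentation-range IPs and the sample traces are all constructed assumptions.

```python
"""Heuristic detection of Chameleon-style click-fraud sessions (added example).

Not spider.io's code. Scores recorded pointer traces by how erratic their
direction changes are, adds a crash-frequency signal, and accumulates evidence
per IP over several sessions. Thresholds and record layout are assumptions.
"""
import math
from collections import Counter
from typing import Iterable, List, Tuple

Point = Tuple[float, float]

# Assumed thresholds (not from the report): mean turning angle in radians and
# crashes per session above which a session is treated as bot-like.
TURNING_ANGLE_THRESHOLD = 0.8
CRASH_THRESHOLD = 3


def mean_turning_angle(points: List[Point]) -> float:
    """Average absolute change of heading between consecutive pointer moves."""
    if len(points) < 3:
        return 0.0
    headings = [math.atan2(y1 - y0, x1 - x0)
                for (x0, y0), (x1, y1) in zip(points, points[1:])]
    turns = []
    for h0, h1 in zip(headings, headings[1:]):
        # Wrap the difference into (-pi, pi] so a reversal counts as pi, not ~2pi
        d = (h1 - h0 + math.pi) % (2 * math.pi) - math.pi
        turns.append(abs(d))
    return sum(turns) / len(turns)


def is_bot_like(session: dict) -> bool:
    """Flag a session whose pointer trace is erratic or that crashed repeatedly."""
    erratic = mean_turning_angle(session["trace"]) > TURNING_ANGLE_THRESHOLD
    crashy = session.get("crashes", 0) >= CRASH_THRESHOLD
    return erratic or crashy


def build_blocklist(sessions: Iterable[dict], min_flagged: int = 2) -> set:
    """IPs flagged as bot-like in at least `min_flagged` sessions.

    Requiring repeat sightings mirrors the article's point that infected
    systems become identifiable over time rather than from one page view.
    """
    flagged = Counter(s["ip"] for s in sessions if is_bot_like(s))
    return {ip for ip, n in flagged.items() if n >= min_flagged}


# Constructed sample data (documentation-range IPs, not real infections).
SMOOTH_TRACE = [(i * 30.0, 200.0 + i * i) for i in range(16)]   # gentle curve
RANDOM_TRACE = [(10, 900), (850, 40), (120, 500), (700, 880), (300, 100),
                (950, 600), (50, 300), (600, 50), (400, 700), (900, 200)]

SAMPLE_SESSIONS = [
    {"ip": "192.0.2.10", "trace": SMOOTH_TRACE, "crashes": 0},
    {"ip": "192.0.2.10", "trace": SMOOTH_TRACE, "crashes": 1},
    {"ip": "198.51.100.7", "trace": RANDOM_TRACE, "crashes": 0},
    {"ip": "198.51.100.7", "trace": SMOOTH_TRACE, "crashes": 5},
    {"ip": "203.0.113.4", "trace": RANDOM_TRACE, "crashes": 0},  # seen once only
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s["ip"], round(mean_turning_angle(s["trace"]), 2), is_bot_like(s))
    print("blocklist:", sorted(build_blocklist(SAMPLE_SESSIONS)))
```

On the sample data the smooth curve scores a mean turn of well under 0.1 radians while the jumping trace scores roughly 2.5, so the threshold separates them comfortably; the single sighting of 203.0.113.4 is deliberately left off the blocklist until it recurs.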

Spider.io estimates that the botnet is responsible for at least nine billion of the ad impressions served by the 202 websites it visits—out of a total of 14 billion—and for at least seven million unique ad-exchange cookies per month. At a 69-cent CPM (cost per thousand impressions) for advertisements served up to the botnet, that works out to $6.2 million per month in advertising losses.

34 Reader Comments

I should probably feel bad for the advertisers losing money, since they're funding the internet as we know it... but I can't really.

The people whose computers are infected, I feel bad for them. Maybe one day security for computers won't require endless vigilance and keeping up to date with seemingly-endless security holes. Maybe. (Probably not.)

OK good? I know Internet ads are needed to pay for the net. But I have a hard time with sympathy with the ad shysters. The ones I feel some sorrow/sympathy for is the person infected with the bot. Even there it is limited because they should be keeping their computers clean.

In order for the botnet to make money wouldn't they need to be the advertisement provider and then use it as a means of getting extra clicks and impressions? Otherwise what is the point? To make someone else millions?

> In order for the botnet to make money wouldn't they need to be the advertisement provider and then use it as a means of getting extra clicks and impressions? Otherwise what is the point? To make someone else millions?

That's a good point. Who's losing money and who's making it?

/chaotic evil -- I'd love to run one of these for a few months to make enough money to retire, I'll tell you what.

Did I read the article correctly - the security company have known about this malware since December, 4 months ago, and NOW we're being told about it? I consider that to be somewhat irresponsible. As others have commented, Internet ads can be incredibly intrusive and annoying so feeling any sympathy whatsoever with the ad companies is really quite difficult. Ars is one of the very few sites on which I disable ad block...

> In order for the botnet to make money wouldn't they need to be the advertisement provider and then use it as a means of getting extra clicks and impressions? Otherwise what is the point? To make someone else millions?

Exactly, the botnet targets 202 websites and is making those owners money fraudulently. Or was, assuming advertisers will learn of this and stop paying, but ostensibly it's pretty simple to unleash different sites for it to target.

Edit: The 'stealing' would be from the advertisers who are paying for clicks they aren't really getting.

> In order for the botnet to make money wouldn't they need to be the advertisement provider and then use it as a means of getting extra clicks and impressions? Otherwise what is the point? To make someone else millions?
>
> Exactly, the botnet targets 202 websites and is making those owners money fraudulently. Or was, assuming advertisers will learn of this and stop paying, but ostensibly it's pretty simple to unleash different sites for it to target.

The controllers of the botnet and the owners of those websites are part of the same organization. So they're making money for themselves and not someone else. Just pointing that out in case someone didn't see the connection.

Basically, they set up 202 fake arstechnica's and sell ad slots on the side of their "content", which is usually unoriginal.

> In order for the botnet to make money wouldn't they need to be the advertisement provider and then use it as a means of getting extra clicks and impressions? Otherwise what is the point? To make someone else millions?

The ads on a website generate a certain amount of money per click. The folks who run the site pay the botnet guys $50 to generate $500 worth of clicks in a given period of time. (Numbers here are made up, I have no idea what the going rate is.) In many cases, botnet owners may also have websites with ads on them.

> Did I read the article correctly - the security company have known about this malware since December, 4 months ago, and NOW we're being told about it? I consider that to be somewhat irresponsible. As others have commented, Internet ads can be incredibly intrusive and annoying so feeling any sympathy whatsoever with the ad companies is really quite difficult. Ars is one of the very few sites on which I disable ad block...

My impression was that they started tracking the behavior a while back, but hadn't nailed down the actual botnet until very recently.

Speaking as someone who has done affiliate advertising with websites, I find it hard to believe the dollar loss estimate given. Loads of ad clicks that don't lead to sales end up putting you in the "no conversions" pay scale as an affiliate. So like, a penny a click, not 69 cents.

> Speaking as someone who has done affiliate advertising with websites, I find it hard to believe the dollar loss estimate given. Loads of ad clicks that don't lead to sales end up putting you in the "no conversions" pay scale as an affiliate. So like, a penny a click, not 69 cents.

CPM is cost per thousand clicks, not for each individual one. And this isn't affiliate (which would require purchases) but display ads, which pay you for showing them and people clicking (hence the bot).

I wonder how many of these botnets it will take for the advertising lobby to get something done about them. There's all this talk about copyright infringement, six strikes, etc., but millions of machines are running botnets that crack passwords, send and post spam, run DDOS attacks, etc., without anybody seeming to care.

When will we get some legislation to force ISPs to disconnect you or slow you down considerably if they detect your machine running a bot? Why do we let our computers be part of criminal activity like this?

> Speaking as someone who has done affiliate advertising with websites, I find it hard to believe the dollar loss estimate given. Loads of ad clicks that don't lead to sales end up putting you in the "no conversions" pay scale as an affiliate. So like, a penny a click, not 69 cents.

Indeed. I've had some clicks on my website that were in the $5.00+ range, for one click. No sales conversions here. That average can be skewed by higher CPM or CPC quite easily.

I'm surprised they found this out, considering most impressions are wasted on people who don't notice them, and any clicks are primarily accidents. Maybe the bots were feigning actual engagement, which threw them off since normal people don't interact with them.

> Speaking as someone who has done affiliate advertising with websites, I find it hard to believe the dollar loss estimate given. Loads of ad clicks that don't lead to sales end up putting you in the "no conversions" pay scale as an affiliate. So like, a penny a click, not 69 cents.

That is a 0.69 cent CPM - cost per 1000 impressions. It's 9000000000 / 1000 * 0.69 = 6210000. I'm sure that not all advertisers are paying CPM, so that 0.69 CPM is likely something like this: ((total spend * percent of total impressions that went to botnet) / total impressions served) * 1000

Am I missing something, or does this imply that the website owners (who are getting money for the fake clicks on ads on their websites) are complicit? Somehow I feel like I'm missing some piece of the picture after reading this article.

> I wonder how many of these botnets it will take for the advertising lobby to get something done about them. There's all this talk about copyright infringement, six strikes, etc., but millions of machines are running botnets that crack passwords, send and post spam, run DDOS attacks, etc., without anybody seeming to care.
>
> When will we get some legislation to force ISPs to disconnect you or slow you down considerably if they detect your machine running a bot? Why do we let our computers be part of criminal activity like this?

I guess your ISP could stream pop-ups into HTML responses you are receiving which say, "You may be infected with a virus."

Seriously, let's act smart and just have a human being call people. I'm sure nearly every purchase of internet service includes giving your phone number to them. What is the point if we're not going to use such information intelligently? Same logic which applies to getting nebulous billing statements from Apple regarding iOS in-game purchases - people are so used to ignoring trolling, phishing, and malware scams, they completely ignore any e-mail they weren't expecting.

If we're just going to keep embracing sloth as the approach to informing consumers of problems, at least add a neon-colored notice into their billing statement: "You have malware and will be disconnected in XX number of days."

> In order for the botnet to make money wouldn't they need to be the advertisement provider and then use it as a means of getting extra clicks and impressions? Otherwise what is the point? To make someone else millions?
>
> Exactly, the botnet targets 202 websites and is making those owners money fraudulently. Or was, assuming advertisers will learn of this and stop paying, but ostensibly it's pretty simple to unleash different sites for it to target.
>
> The controllers of the botnet and the owners of those websites are part of the same organization. So they're making money for themselves and not someone else. Just pointing that out in case someone didn't see the connection.
>
> Basically, they set up 202 fake arstechnica's and sell ad slots on the side of their "content", which is usually unoriginal.

I'm really curious about just how fake these sites are. I can't find a list of the 202 domains anywhere and spider.io didn't give specifics. They say that Chameleon was responsible for 9 out of a total of 14 billion impressions/month across those sites. That means that the sites were still receiving 5 billion impressions/month from other sources, which is still a very large amount of traffic (and if genuine, would suggest that the sites do offer some sort of value to be generating all of those page views.)

I think there are two possible scenarios: Operators of legit websites decided to pay the botnet operators to enhance their ad revenue, or the sites are 'fake' and the other 5 billion impressions are coming from equally shady sources (maybe another botnet.) I guess there is a possible third scenario in which the Chameleon operators unleashed their botnet just to show off, but it seems very unlikely that anyone would go through the trouble of creating a large, ad-fraud tailored botnet if they didn't intend to use it for financial gain.

I can't decide whether or not there is any significance to spider.io not releasing the list of sites. I suppose they may not want to alert the site operators by naming names if they are doing further investigation (although, you would think that releasing IPs of infected machines and a description of the botnet behavior should be more than enough to tip off anyone in cahoots.) Alternatively, if the sites were completely fake, spider.io may not have released the domains to prevent sending additional traffic their way (and contributing to more theft and possible distribution of malware in the process.) I guess we will have to wait for more details to find out.

> Seriously, let's act smart and just have a human being call people. I'm sure nearly every purchase of internet service includes giving your phone number to them. What is the point if we're not going to use such information intelligently? Same logic which applies to getting nebulous billing statements from Apple regarding iOS in-game purchases - people are so used to ignoring trolling, phishing, and malware scams, they completely ignore any e-mail they weren't expecting.

Fair enough. But either way, something needs to be done. I was thinking of something that's at least semi-automated for the simple scaling issues. How many calls do you think a major ISP would have to make each month? And as long as there is no pain involved, only a fraction of people will bother doing something about their infected machines.

> In order for the botnet to make money wouldn't they need to be the advertisement provider and then use it as a means of getting extra clicks and impressions? Otherwise what is the point? To make someone else millions?
>
> Exactly, the botnet targets 202 websites and is making those owners money fraudulently. Or was, assuming advertisers will learn of this and stop paying, but ostensibly it's pretty simple to unleash different sites for it to target.
>
> The controllers of the botnet and the owners of those websites are part of the same organization. So they're making money for themselves and not someone else. Just pointing that out in case someone didn't see the connection.
>
> Basically, they set up 202 fake arstechnica's and sell ad slots on the side of their "content", which is usually unoriginal.
>
> I'm really curious about just how fake these sites are. I can't find a list of the 202 domains anywhere and spider.io didn't give specifics. They say that Chameleon was responsible for 9 out of a total of 14 billion impressions/month across those sites. That means that the sites were still receiving 5 billion impressions/month from other sources, which is still a very large amount of traffic (and if genuine, would suggest that the sites do offer some sort of value to be generating all of those page views.)
>
> I think there are two possible scenarios: Operators of legit websites decided to pay the botnet operators to enhance their ad revenue, or the sites are 'fake' and the other 5 billion impressions are coming from equally shady sources (maybe another botnet.) I guess there is a possible third scenario in which the Chameleon operators unleashed their botnet just to show off, but it seems very unlikely that anyone would go through the trouble of creating a large, ad-fraud tailored botnet if they didn't intend to use it for financial gain.
>
> I can't decide whether or not there is any significance to spider.io not releasing the list of sites. I suppose they may not want to alert the site operators by naming names if they are doing further investigation (although, you would think that releasing IPs of infected machines and a description of the botnet behavior should be more than enough to tip off anyone in cahoots.) Alternatively, if the sites were completely fake, spider.io may not have released the domains to prevent sending additional traffic their way (and contributing to more theft and possible distribution of malware in the process.) I guess we will have to wait for more details to find out.

Wait, what now? Maybe some websites depend on advertising in order to stay in business or fund their operating model, but the existence of the internet isn't dependent upon advertising to stay up-and-running. Plenty of people operate websites completely free of ads, so obviously they don't need ads to remain online.

Thanks! That article led me to a guardian story where the author did a bit of an interview with a spider.io guy. Sounds like some of the sites might be at least somewhat legit.

Linked Article wrote:

> But he declined to name any of the publishers being targeted by the bots, because they might be the targets of a scam run from outside – or, he suggested, "it could even be a single person within one of the companies, unbeknownst to others at the company."

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.